Most companies conducting business in California or with customers in the state will need to comply with the California Consumer Privacy Act (CCPA). The act gives California consumers new rights regarding their personal information and goes into effect on January 1, 2020.
Enforcement by the California attorney general, including fines for businesses that aren't compliant, can begin in July 2020. Fines are assessed per violation, which in practice can mean per incident or per affected consumer, so an accumulation of violations could result in significant cost to your business.
Below, we outline how to determine if your business needs to be in compliance with the act and steps your company can take to prepare for its implementation.
Liable Companies and Activities
Only a few types of companies are exempt from the CCPA, such as not-for-profit organizations, with some exceptions; businesses that fall below all of the size thresholds described below; and financial institutions to the extent their data is governed by the California Financial Information Privacy Act (CFIPA).
For-profit businesses that have established business relationships with California consumers are required to be compliant, including businesses in other US states and other countries, if they perform all of the following activities:
- Conduct business in California, regardless of location
- Collect personal information of California residents
- Determine how consumers’ collected personal information is used
A business also has to meet at least one of the following thresholds:
- Annual gross revenue of at least $25 million
- Annually buys, receives, sells, or shares, directly or indirectly, the personal information of 50,000 or more California consumers, households, or devices
- Derives 50% or more of its annual revenue from selling consumers' personal information
Personal Information Definition
It's important to note that the terms personal information and sale are given expansive definitions under the CCPA, which greatly increases the number of businesses to which the CCPA applies. A sale, for example, isn't limited to exchanges for money; it covers disclosing personal information to a third party for monetary or other valuable consideration.
Personal information is broadly defined and draws inspiration from the definition of personal data under the European Union's General Data Protection Regulation (GDPR). It includes:
- Usual identifiers such as name, address, and Social Security number
- Expanded factors such as profession, education, purchase, and property info
- Digital information such as IP address, device ID, browsing history, and geolocation
- Unexpected categories such as audio, thermal, olfactory, or similar information
- Profile-driven information drawn from other categories to create a profile about a consumer
Personal information excludes publicly available information, provided the information is used for purposes compatible with those for which it was made publicly available.
Information is considered publicly available if it's lawfully made available from federal, state, or local government records. Biometric information that a business collected about a consumer without the consumer's knowledge is not considered publicly available.
On September 23, 2018, Governor Jerry Brown of California signed Senate Bill 1121 which broadly amended the CCPA by:
- Eliminating the requirement that a consumer first notify the attorney general before bringing a private right of action
- Excluding health care providers governed by the California Confidentiality of Medical Information Act
- Eliminating any conflicts with the California Financial Information Privacy Act
- Limiting civil penalties assessed in an attorney general action to up to $2,500 per violation, or up to $7,500 per intentional violation
Since then, several additional amendments have been added to the CCPA, such as a requirement that data brokers register with the state attorney general's office, a determination that, for the first year, the act's consumer rights don't cover personal information collected from job applicants, employees, and contractors, and exemptions for select personal information exchanged in business-to-business transactions.
Clarifications on the CCPA, including the attorney general's implementing regulations, are still being issued, with more expected in the future.
Three Compliance Tips
1. Avoid Selling Personal Information
You could keep your business activities outside the sale-of-personal-information requirements by not disclosing consumer information to third parties for monetary or other valuable consideration. Note that disclosing information to a service provider that processes it on your behalf under a written contract restricting its use is not treated as a sale, but any disclosure that doesn't meet that standard may be. Many businesses are beginning to position their privacy initiatives and customer trust as a major part of their customer experience and brand identity.
If that’s not feasible for your business, there are additional steps you can take to help with compliance.
2. Update or Create Detailed Consumer Policies
It's important to keep your consumers informed of their rights. Update your privacy policies to identify, at or before the point when information is collected, the categories of personal information you collect and the purposes for which each category is collected.
In your policies, describe your consumers' rights to know what personal information your business holds about them, to access and obtain a copy of it, and to have it deleted, as well as the categories of sources of the information and the categories of third parties with whom it's been shared.
Consumers should be told of their ability to opt out of sales of their personal information to third parties, and of their right not to be discriminated against for exercising their rights with regard to their personal information. Consumers under 16 must affirmatively opt in before their personal information may be sold. You should also give consumers the opportunity to opt in to your communications.
3. Be Ready to Respond to Consumers
Consider how you communicate your privacy language to consumers and whether there are ways to do so that fit your specific audience. Updating your website to reflect your new privacy policies allows you to link to all required disclosures, including the required "Do Not Sell My Personal Information" link if you sell personal information, and to answer consumers' questions.
Many consumers could reach out and request to access or delete the information you've collected. To prepare for such requests and remain compliant, it helps to implement policies and processes that will:
- Verify the identity of individuals making requests, using a level of scrutiny proportionate to the sensitivity of the data, without collecting more personal information than the verification requires
- Provide timely, portable copies of the requested information; the act gives a business 45 days from receipt of a verifiable request to respond, extendable once when reasonably necessary
- Delete personal information when requested, or document the statutory exception relied on when the information is retained
- Obtain the assistance of service providers, who must also delete the consumer's information on your instruction
We’re Here to Help
To learn more about how the CCPA could impact your business and prepare for its implementation, view our How to Leverage California’s Consumer Privacy Act webcast or contact your Moss Adams professional.